diff --git a/lam/lib/security.inc b/lam/lib/security.inc index 33eb67cd..598fd6d3 100644 --- a/lam/lib/security.inc +++ b/lam/lib/security.inc @@ -44,7 +44,7 @@ function startSecureSession() { // start session if (isset($_SESSION)) unset($_SESSION); if (strtolower(session_module_name()) == 'files') { - $sessionDir = substr(__FILE__, 0, strlen(__FILE__) - 17) . "/sess"; + $sessionDir = dirname(__FILE__) . "/../sess"; session_save_path($sessionDir); } @session_start(); diff --git a/lam/templates/config/conflogin.php b/lam/templates/config/conflogin.php index 89c0977f..db49a679 100644 --- a/lam/templates/config/conflogin.php +++ b/lam/templates/config/conflogin.php @@ -37,9 +37,10 @@ include_once('../../lib/status.inc'); // start session if (strtolower(session_module_name()) == 'files') { - session_save_path("../../sess"); + session_save_path(dirname(__FILE__) . '/../../sess'); } -@session_start(); +session_start(); +session_regenerate_id(true); setlanguage(); diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php index 267afb81..f2d65318 100644 --- a/lam/templates/config/confmain.php +++ b/lam/templates/config/confmain.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2009 Roland Gruber + Copyright (C) 2003 - 2010 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -53,7 +53,7 @@ if (isset($_POST['passwd'])) $passwd = $_POST['passwd']; if (!isset($passwd) && !isset($_SESSION['conf_isAuthenticated'])) { $_SESSION['conf_message'] = _("No password was entered!"); /** go back to login if password is empty */ - require('conflogin.php'); + metaRefresh('conflogin.php'); exit; } 
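Review bot: The new `$sessionDir = dirname(__FILE__) . "/../sess";` is passed to `session_save_path()` without checking that the directory exists or is writable, and the `@session_start();` two lines below suppresses the warning that would otherwise reveal a bad path, so a misconfigured session directory fails silently. Consider resolving and checking it first, `$sessionDir = realpath(dirname(__FILE__) . '/../sess');` followed by `if ($sessionDir === false || !is_writable($sessionDir)) { /* log and abort */ }`, and dropping the `@` as the conflogin.php hunk in this same commit already does. startSecureSession() continues outside the hunk, so I cannot see whether a later check covers this.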
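Review bot: `session_regenerate_id(true);` is called here on every request to the login form, before any credential is checked, which rotates an anonymous session ID but does not close the fixation window at the moment privileges change. The ID should be regenerated where the authenticated state is set — in confmain.php, immediately before the context line `$_SESSION['conf_isAuthenticated'] = $conf->getName();` in its second hunk — and the same applies to the identical mainlogin.php hunk. Removing the `@` from `session_start();` is welcome; if regenerating on the form is intended just to avoid reusing a stale ID, a comment such as `// fresh session ID for the login form; regenerate again once authentication succeeds` would make that explicit.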
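Review bot: `metaRefresh('conflogin.php');` replaces the `require` with a client-side redirect, so the unauthenticated response is delivered as a normal response body and relies on the browser honouring the meta tag; the second confmain.php hunk (the invalid-password path) has the same shape. If no output has been sent by this point in the file (the code above line 53 is outside the hunk), an HTTP redirect is the more robust choice: `header('Location: conflogin.php');` followed by `exit;`. If metaRefresh is kept deliberately, a short comment on why it is preferred over a Location header here would help the next reader.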
@@ -71,7 +71,7 @@ if ((!isset($_SESSION['conf_isAuthenticated']) || !($_SESSION['conf_isAuthentica } $_SESSION['conf_message'] = _("The password is invalid! Please try again."); /** go back to login if password is invalid */ - require('conflogin.php'); + metaRefresh('conflogin.php'); exit; } $_SESSION['conf_isAuthenticated'] = $conf->getName(); diff --git a/lam/templates/config/mainlogin.php b/lam/templates/config/mainlogin.php index 513d6d23..f597034a 100644 --- a/lam/templates/config/mainlogin.php +++ b/lam/templates/config/mainlogin.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2009 Roland Gruber + Copyright (C) 2003 - 2010 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,9 +37,10 @@ include_once('../../lib/status.inc'); // start session if (strtolower(session_module_name()) == 'files') { - session_save_path("../../sess"); + session_save_path(dirname(__FILE__) . '/../../sess'); } -@session_start(); +session_start(); +session_regenerate_id(true); setlanguage(); diff --git a/lam/templates/login.php b/lam/templates/login.php index a39dcb9e..66764ba6 100644 --- a/lam/templates/login.php +++ b/lam/templates/login.php 
@@ -45,15 +45,50 @@ include_once("../lib/config.inc"); // Include config.inc which provides Config c // set session save path if (strtolower(session_module_name()) == 'files') { - session_save_path("../sess"); + session_save_path(dirname(__FILE__) . '/../sess'); } -session_start(); // Start LDAP Account Manager session + +// start empty session and change ID for security reasons +session_start(); +session_destroy(); +session_start(); +session_regenerate_id(true); // save last selected login profile if(isset($_POST['profile'])) { setcookie("lam_default_profile", $_POST['profile'], time() + 365*60*60*24); } +// init some session variables +$_SESSION['lampath'] = realpath('../') . "/"; // Save full path to lam in session + +$default_Config = new LAMCfgMain(); +$_SESSION["cfgMain"] = $default_Config; +$default_Profile = $default_Config->default; +if(isset($_COOKIE["lam_default_profile"])) { + $default_Profile = $_COOKIE["lam_default_profile"]; +} +// Reload loginpage after a profile change +if(isset($_POST['profileChange'])) { + logNewMessage(LOG_DEBUG, "Change server profile to " . $_POST['profile']); + $_SESSION['config'] = new LAMConfig($_POST['profile']); // Recreate the config object with the submited +} +// Load login page +else { + $_SESSION["config"] = new LAMConfig($default_Profile); // Create new Config object +} + +$_SESSION['language'] = $_SESSION["config"]->get_defaultLanguage(); +if (isset($_POST['language'])) { + $_SESSION['language'] = $_POST['language']; // Write selected language in session +} +$current_language = explode(":",$_SESSION['language']); +$_SESSION['header'] = "\n\n"; +$_SESSION['header'] .= "\n\n"; +$_SESSION['header'] .= "\n"; +$_SESSION['header'] .= "\n "; + + /** * Displays the login window. * 
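Review bot: `$_SESSION['language'] = $_POST['language'];` now runs for every request before any authentication and without validation, whereas the assignment it replaces (removed further down in this file's fourth hunk) only happened after a successful LDAP bind; the value is then split with `explode(":", ...)` and written into `$_SESSION['header']`, so it should be accepted only if it matches one of the entries display_LoginPage() reads from `../config/language`. Likewise `new LAMConfig($_POST['profile'])` and `new LAMConfig($default_Profile)` (the latter from the `lam_default_profile` cookie) take an unchecked name from the client — this is moved rather than new code, but if LAMConfig resolves the name to a file, restricting it to the known profile names before constructing it would be prudent; LAMConfig itself is not visible here. The `session_start(); session_destroy(); session_start(); session_regenerate_id(true);` sequence also discards any existing session on every visit to login.php, which is reasonable for a login page but deserves a comment stating that intent, e.g. `// every visit to login.php starts from an empty session with a fresh ID (this also ends an existing session)`.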
@@ -79,15 +114,6 @@ function display_LoginPage($config_object) { setcookie("Key", base64_encode($key), 0, "/"); setcookie("IV", base64_encode($iv), 0, "/"); } - - $_SESSION['language'] = $config_object->get_defaultLanguage(); - - $current_language = explode(":",$_SESSION['language']); - $_SESSION['header'] = "\n\n"; - $_SESSION['header'] .= "\n\n"; - $_SESSION['header'] .= "\n"; - $_SESSION['header'] .= "\n "; - // loading available languages from language.conf file $languagefile = "../config/language"; if(is_file($languagefile) == True) @@ -347,8 +373,6 @@ function display_LoginPage($config_object) { // checking if the submitted username/password is correct. if(!empty($_POST['checklogin'])) { - $_SESSION['lampath'] = realpath('../') . "/"; // Save full path to lam in session - include_once("../lib/ldap.inc"); // Include ldap.php which provides Ldap class $_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object @@ -419,12 +443,6 @@ if(!empty($_POST['checklogin'])) { $result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password if($result === 0) {// Username/password correct. Do some configuration and load main frame. $_SESSION['loggedIn'] = true; - $_SESSION['language'] = $_POST['language']; // Write selected language in session - $current_language = explode(":",$_SESSION['language']); - $_SESSION['header'] = "\n\n"; - $_SESSION['header'] .= "\n\n"; - $_SESSION['header'] .= "\n"; - $_SESSION['header'] .= "\n "; // set security settings for session $_SESSION['sec_session_id'] = session_id(); $_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR']; 
@@ -440,49 +458,28 @@ if(!empty($_POST['checklogin'])) { // connection failed $error_message = _("Cannot connect to specified LDAP server. Please try again."); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); - display_LoginPage($_SESSION['config']); - exit(); } elseif ($result == 81) { // connection failed $error_message = _("Cannot connect to specified LDAP server. Please try again."); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); - display_LoginPage($_SESSION['config']); - exit(); } elseif ($result == 49) { // user name/password invalid. Return to login page. $error_message = _("Wrong password/user name combination. Please try again."); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).'); - display_LoginPage($_SESSION['config']); - exit(); } else { // other errors $error_message = _("LDAP error, server says:") . "\n
($result) " . ldap_err2str($result); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); - display_LoginPage($_SESSION['config']); - exit(); } + display_LoginPage($_SESSION['config']); + exit(); } } } -// Reload loginpage after a profile change -elseif(!empty($_POST['profileChange'])) { - logNewMessage(LOG_DEBUG, "Change server profile to " . $_POST['profile']); - $_SESSION['config'] = new LAMConfig($_POST['profile']); // Recreate the config object with the submited - display_LoginPage($_SESSION['config']); // Load login page -} -// Load login page -else { - $default_Config = new LAMCfgMain(); - $default_Profile = $default_Config->default; - if(isset($_COOKIE["lam_default_profile"])) { - $default_Profile = $_COOKIE["lam_default_profile"]; - } - $_SESSION["config"] = new LAMConfig($default_Profile); // Create new Config object - $_SESSION["cfgMain"] = $default_Config; // Create new CfgMain object - display_LoginPage($_SESSION["config"]); // Load Login page -} +display_LoginPage($_SESSION["config"]); + ?>
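Review bot: With the four `display_LoginPage(...); exit();` copies collapsed into the single pair after the chain, the first two branches (the `// connection failed` one whose condition starts above the hunk, and `elseif ($result == 81)`) are now byte-identical and could be merged into one condition. The chain also compares with `==` while the success check just above it uses `$result === 0`; `elseif ($result === 81)` and `elseif ($result === 49)` would be consistent and avoid loose-comparison surprises. The trailing `display_LoginPage($_SESSION["config"]);` now runs for every request that reaches it, so if the successful-login path (outside this hunk) does not exit before it, the login page would be rendered again after a login; worth confirming. The enclosing `if(!empty($_POST['checklogin']))` block begins outside the hunk.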